Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted

Hey, I’m trying to run an LXC systemd container on an OpenRC Gentoo system with cgroupv2:

doskanoness@lxc-gentoo ~ $ lxc-ls
bar  
doskanoness@lxc-gentoo ~ $ lxc-start -n bar
doskanoness@lxc-gentoo ~ $ lxc-start -n bar -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
doskanoness@lxc-gentoo ~ $ cat /proc/self/cgroup 
0::/sshd

When I run containers as root, everything works. Any ideas what could be wrong? What’s the Delegate=yes equivalent on non-systemd distros?

Any help is appreciated 🙂

That will need some manual setup unless you can find a script which does it for you.
Basically you’d need root to create you a /sys/fs/cgroup/user.doskanoness cgroup or something similar, then chown it over to you and move your shell’s PID into it.

At that point, lxc-start should be able to detect that and since you now own that cgroup, will be able to create its own entries in there for the container.
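
The steps in the reply above, as an added shell example (not part of the original thread and not LXC's or libcgroup's own tooling). The function names and the `CGROOT` override are assumptions made for the example; the list of files to chown follows the delegation rules in the kernel's cgroup v2 documentation.

```shell
#!/bin/sh
# Added example: manual cgroup v2 delegation on a host without systemd.
# CGROOT can be overridden so the logic can be tried on a scratch directory.
CGROOT="${CGROOT:-/sys/fs/cgroup}"
# Files the kernel's cgroup v2 documentation names for delegation,
# in addition to the cgroup directory itself.
DELEGATE_FILES="cgroup.procs cgroup.threads cgroup.subtree_control"

# Root side. usage: delegate_cgroup <name> <user> <pid>
# Creates $CGROOT/<name>, hands it to <user>, then moves <pid> into it.
delegate_cgroup() {
    cg="$CGROOT/$1"
    mkdir -p "$cg" || return 1
    chown "$2" "$cg" || return 1
    for f in $DELEGATE_FILES; do
        if [ -e "$cg/$f" ]; then
            chown "$2" "$cg/$f" || return 1
        fi
    done
    echo "$3" > "$cg/cgroup.procs"
}

# User side. usage: check_delegation <proc-cgroup-file>
# Returns 0 if the cgroup v2 path named in the file (e.g. /proc/self/cgroup)
# and its delegation files are owned by the caller, 1 if not, and 2 if the
# file has no cgroup v2 ("0::<path>") entry.
check_delegation() {
    path=$(sed -n 's/^0:://p' "$1" | head -n 1)
    if [ -z "$path" ]; then
        echo "no cgroup v2 entry in $1" >&2
        return 2
    fi
    cg="$CGROOT$path"
    for f in . $DELEGATE_FILES; do
        if [ ! -O "$cg/$f" ]; then
            echo "not owned by $(id -u): $cg/$f" >&2
            return 1
        fi
    done
    echo "delegated: $cg"
}
```

Root would run `delegate_cgroup user.doskanoness doskanoness <shell PID>`, and the user then runs `check_delegation /proc/self/cgroup` before `lxc-start`. A shell still sitting in a root-owned cgroup, such as the `0::/sshd` one in the question, makes the check return 1.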

Okay, I get it. Now both systemd and non-systemd containers work. I switched to cgroups v2 and let libcgroup manage them. It was necessary to let libcgroup and the cgrulesengd daemon manage cgroups.

My config:

┌─[doskanoness@gentoo] - [~] - [2022-03-27 11:16:21]
└─[0] <> cat /etc/cgroup/cgconfig.conf
#
#  Copyright IBM Corporation. 2007
#
#  Authors:     Balbir Singh <balbir@linux.vnet.ibm.com>
#  This program is free software; you can redistribute it and/or modify it
#  under the terms of version 2.1 of the GNU Lesser General Public License
#  as published by the Free Software Foundation.
#
#  This program is distributed in the hope that it would be useful, but
#  WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
#group daemons/www {
#       perm {
#               task {
#                       uid = root;
#                       gid = webmaster;
#               }
#               admin {
#                       uid = root;
#                       gid = root;
#               }
#       }
#       cpu {
#               cpu.shares = 1000;
#       }
#}
#
#group daemons/ftp {
#       perm {
#               task {
#                       uid = root;
#                       gid = ftpmaster;
#               }
#               admin {
#                       uid = root;
#                       gid = root;
#               }
#       }
#       cpu {
#               cpu.shares = 500;
#       }
#}
#
#mount {
#       cpu = /mnt/cgroups/cpu;
#       cpuacct = /mnt/cgroups/cpuacct;
#}
#
group doskanoness {
        perm {
                task {
                        uid = doskanoness;
                        gid = doskanoness;
                }
                admin {
                        uid = doskanoness;
                        gid = doskanoness;
                }
        }
        cpu {}
        cpuset {}
        hugetlb {}
        io {}
        memory {}
        pids {}
}
┌─[doskanoness@gentoo] - [~] - [2022-03-27 11:15:30]
└─[0] <> cat /etc/cgroup/cgrules.conf
# /etc/cgrules.conf
#The format of this file is described in cgrules.conf(5)
#manual page.
#
# Example:
#<user>         <controllers>   <destination>
#@student       cpu,memory      usergroup/student/
#peter          cpu             test1/
#%              memory          test2/
# Terminal
doskanoness:/usr/bin/konsole            *               doskanoness
# LXC
doskanoness:/usr/bin/lxc-attach         *               doskanoness
doskanoness:/usr/bin/lxc-autostart      *               doskanoness
doskanoness:/usr/bin/lxc-cgroup         *               doskanoness
doskanoness:/usr/bin/lxc-checkconfig    *               doskanoness
doskanoness:/usr/bin/lxc-checkpoint     *               doskanoness
doskanoness:/usr/bin/lxc-config         *               doskanoness
doskanoness:/usr/bin/lxc-console        *               doskanoness
doskanoness:/usr/bin/lxc-copy           *               doskanoness
doskanoness:/usr/bin/lxc-create         *               doskanoness
doskanoness:/usr/bin/lxc-destroy        *               doskanoness
doskanoness:/usr/bin/lxc-device         *               doskanoness
doskanoness:/usr/bin/lxc-execute        *               doskanoness
doskanoness:/usr/bin/lxc-freeze         *               doskanoness
doskanoness:/usr/bin/lxc-info           *               doskanoness
doskanoness:/usr/bin/lxc-ls             *               doskanoness
doskanoness:/usr/bin/lxc-monitor        *               doskanoness
doskanoness:/usr/bin/lxc-snapshot       *               doskanoness
doskanoness:/usr/bin/lxc-start          *               doskanoness
doskanoness:/usr/bin/lxc-stop           *               doskanoness
doskanoness:/usr/bin/lxc-top            *               doskanoness
doskanoness:/usr/bin/lxc-unfreeze       *               doskanoness
doskanoness:/usr/bin/lxc-unshare        *               doskanoness
doskanoness:/usr/bin/lxc-update-config  *               doskanoness
doskanoness:/usr/bin/lxc-usernsexec     *               doskanoness
doskanoness:/usr/bin/lxc-wait           *               doskanoness
# Code editors
doskanoness:/usr/bin/vscode             *               doskanoness
doskanoness:/usr/bin/subl               *               doskanoness
doskanoness:/usr/bin/atom               *               doskanoness
doskanoness:/usr/bin/kate               *               doskanoness
doskanoness:/usr/bin/vim                *               doskanoness
doskanoness:/usr/bin/nano               *               doskanoness
# IDEs
doskanoness:/home/doskanoness/clion-2021.2.3/bin/clion.sh               *               doskanoness
doskanoness:/home/doskanoness/pycharm-2021.2.3/bin/pycharm.sh           *               doskanoness
doskanoness:/home/doskanoness/RubyMine-2021.2.3/bin/rubymine.sh         *               doskanoness
doskanoness:/home/doskanoness/WebStorm-212.5457.55/bin/webstorm.sh      *               doskanoness
doskanoness:/home/doskanoness/DataGrip-2021.3.1/bin/datagrip.sh         *               doskanoness
# End of file

I hope this advice will help users of non-systemd Linux distributions get non-privileged LXC containers, both with and without systemd, working on their systems.

I’m going to add my advice here; however, I’d like to know what LXC forum users think about my steps.